Statement of Benjamin H. Wu
Deputy Under Secretary for Technology
Technology Administration
U.S. Department of Commerce
Before the Committee on Government Reform
Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations
Subcommittee on Technology and Procurement Policy
House of Representatives
United States Congress
“Views on H.R. 3844, the Federal Information Security Management Act of 2002”
May 2, 2002
Good morning Chairman Horn and Members of the Subcommittee. On behalf of the Department of Commerce’s Technology Administration and its National Institute of Standards and Technology (NIST), thank you for the invitation to speak to you today. I am Ben Wu, Deputy Under Secretary for Technology at the Department of Commerce.
I am pleased to be here with you today to share with you the Department’s views on H.R. 3844, the Federal Information Security Management Act of 2002. I note that the Administration is still developing a position on H.R. 3844.
Let me first commend you, Mr. Chairman, and the entire Subcommittee for continuing your focus on the critical issue of cybersecurity in Federal departments and agencies. Today’s hearing will again remind Federal agencies that cybersecurity must be addressed in a comprehensive manner on a continuing basis. Like other elements of homeland defense, we are unlikely to ever be “finished” with cybersecurity. It demands the continuing attention of the Congress, the Executive Branch, industry, academia, and the public.
The NIST security program supports the nation’s homeland defense effort as well as E-Government by enabling improvements in service to our citizens through secure electronic programs. As I will discuss in greater detail shortly, in the area of cybersecurity, NIST has specific statutory responsibilities for Federal agencies under the Computer Security Act of 1987 and follow-on legislation, including the Government Information Security Reform Act (GISRA). NIST is responsible for developing standards and guidelines to assist Federal agencies in the protection of sensitive unclassified systems. This is in addition to our broad mission of strengthening the U.S. economy – including improving the competitiveness of America’s information technology (IT) industry. In support of this mission, we conduct standards and technology work to help industry produce more secure, yet cost-effective, products, which we believe will be more competitive in the marketplace. Having more secure products available in the marketplace will, of course, also benefit Federal agencies, because they principally use commercial products to construct and secure their systems.
NIST’s Computer Security Division in our Information Technology Laboratory (ITL) is the focal point of our cybersecurity program. We focus on a few key areas: cryptographic standards and applications; security research; security management; and security testing. Our testing program includes both the National Information Assurance Partnership (a joint NIST and the National Security Agency program) and the Cryptographic Module Validation Program (a joint NIST and Government of Canada program).
In his testimony to you on March 6, 2002, Dr. Arden Bement, the Director of NIST, provided a broad-ranging review of NIST’s activities undertaken to fulfill our important cybersecurity responsibilities. For the sake of brevity today, I would simply encourage you to see his testimony for details. (Available online at http://www.nist.gov/testimony/2002/abgisra.html)
NIST’s Current Statutory Responsibilities
The Computer Security Act of 1987 was established to improve security and privacy of sensitive[1] information in Federal computer systems. In the realm of protecting sensitive unclassified information and systems, the Act assigned NIST responsibility to:
These NIST responsibilities for the security of Federal sensitive systems were re-emphasized under the Government Information Security Reform Act (GISRA) in 2000. Under GISRA, NIST is tasked to:
Proposed NIST Responsibilities under the Federal Information Security Management Act
Under FISMA, NIST would have the following key responsibilities:
Additionally, germane to NIST’s key security responsibilities, FISMA would:
Comments on FISMA
Let me close by emphasizing that our national commitment to improve cybersecurity must be increased, in Federal agencies and elsewhere. As Representative Davis’ bill re-emphasizes, there is much more to be done to address cybersecurity in the Federal government. The NIST cybersecurity program has a proven track record of success and stands ready to play the enhanced role envisioned in FISMA.
Thank you, Mr. Chairman for the opportunity to present our views today on FISMA. I will be pleased to answer any questions that you and the other members of the Committee may have.
BENJAMIN H. WU
DEPUTY UNDER SECRETARY FOR TECHNOLOGY
TECHNOLOGY ADMINISTRATION
Benjamin H. Wu was sworn in as Deputy Under Secretary for Technology at the U.S. Department of Commerce on November 6, 2001. In this capacity, he works alongside Under Secretary Phillip J. Bond to support Commerce Secretary Don Evans in developing science and technology policies to maximize technology's contribution to America's economic growth.
The Office of the Under Secretary for Technology supervises policy development and direction among the Office of Technology Policy (OTP), the National Institute of Standards and Technology (NIST), the National Technical Information Service (NTIS), the Office of Space Commercialization (OSC), and other areas.
Prior to joining Commerce, Mr. Wu held senior staff positions in the U.S. Congress for thirteen years. Most recently, from 1995 until his current appointment, Ben led on technology issues with the Technology Subcommittee of the House Science Committee. He had worked in Congress since 1988, having served as Counsel to Congresswoman Constance A. Morella of Maryland and on the Science Committee, first serving on the Investigations and Oversight Subcommittee staff in 1993.
Ben has extensive experience working on issues affecting United States technology and competitiveness policy. Specifically, he has focused on information technology, biomedical technology, and technology transfer policy. He has been the primary congressional staff member for legislation affecting federal intellectual property and federal technology transfer. Additionally, Ben has worked on Technology Administration issues since TA's inception in 1989, with particular emphasis on the National Institute of Standards and Technology. Ben was also the most senior member and the lead Committee staff of the House Y2K Task Force that directed congressional efforts to correct the Year 2000 computer problem.
Ben received a Bachelor of Arts from New York University in 1985 and a Juris Doctor from the University of Pittsburgh in 1988.
[1] The Computer Security Act provides a broad definition of the term "sensitive" information: “any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.” Note that this definition implies that sensitive information does not necessarily require confidentiality protection, as does national security (i.e., classified) information.
[2] Currently, approximately $10 million of direct Congressional appropriations funds the NIST security technical staff of about 45 to support our Computer Security Act responsibilities.
[3] Under the Computer Security Act and a November 14, 1988 delegation of authority from the Secretary of Commerce, agencies may waive the use of mandatory standards when compliance would adversely affect the accomplishment of an agency’s mission or cause a major adverse financial impact that is not offset by governmentwide savings. Agencies must notify the Congress and publish a notice in the Federal Register of such decisions.